Win2K without IE5.5 or 6.0 is no longer secure?

From: Bronek Kozicki (brok@RUBIKON.PL)
Date: 12/18/01


Date:         Tue, 18 Dec 2001 14:24:23 +0100
From: Bronek Kozicki <brok@RUBIKON.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi

While reading comments on security bulletin MS01-058 (actually, it was
Daryl Maunder's email sent today to the ms-focus@securityfocus.com mailing
list) it hit me that Microsoft has discontinued its support for IE5.0 (you
may see it listed at
http://support.microsoft.com/directory/discontinue.asp ). It
effectively forces all administrators out there to install IE5.5 or
IE6.0 on all their Windows 2000 workstations AND servers. Let me
explain: Windows 2000 comes with IE5.0 built-in, and no Service Pack or
hotfix upgrades it to IE5.5 (or IE6). Service Pack 2 upgrades IE to
version 5.01 SP2, but support for this version is also DISCONTINUED.
There is also no (Microsoft-supported) way to uninstall IE5.0 from
Windows 2000, nor any other way to make sure it will never be used on a
secured machine.

In my understanding it means that the only secure way to install Win2K
is:
- install system
- install Service Pack 2
- install all necessary hotfixes (including MS01-007, MS01-041,
MS01-044 etc.)
- install IE5.5 or IE6.0
- install IE hotfixes (like MS01-058)
... and because there is no (Microsoft-supported) way to be 100% sure that
IE will never be used on the server, you need to install IE5.5 (or 6.0)
even there! There is also a question: is Microsoft going to include IE5.5
or 6.0 in Service Pack 3 for Windows 2000? If not, then you will always
need to take this extra step (installing IE 5.5 or 6.0) when securing a
Win2K machine! Simply stated: you need to install IE5.5 or 6.0 and
patch it, in order to secure your server. Always. The other way is not only
insecure; it's also apparently unsupported by Microsoft!

I do not like this, not at all .... I also wonder what it means for
Microsoft's anti-monopoly case?

What do you think ?

B.

PS sorry for my poor English. I'm a bit nervous, as I have plenty of Win2K
servers around to care about ...
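The practical follow-up to the post above is an inventory check: which machines still run the IE 5.0/5.01 that Windows 2000 and SP2 ship (discontinued, per the post), which are on 5.5 or 6.0 but missing the cumulative IE patch, and which are fine. The script below is an added example by the editor, not code from the original post. It assumes that the values "Version" and "MinorVersion" under HKLM\SOFTWARE\Microsoft\Internet Explorer hold the IE version string (e.g. "5.00.2920.0000") and the ";SP2;Qnnnnnn;" list of installed IE service packs and hotfixes, that Q313675 is the Knowledge Base number for MS01-058, and that the hostnames and build numbers in the sample inventory are constructed.

```python
"""Classify Internet Explorer installs on Windows 2000 hosts as
UPGRADE (discontinued 5.0/5.01), PATCH (5.5/6.0 missing required fixes),
OK, or UNKNOWN.  Editor's example; registry value formats and the
MS01-058 -> Q313675 mapping are assumptions, sample hosts are constructed."""
import re
from typing import Iterable, Tuple

# Families as the post describes them: what Win2K/SP2 ship is discontinued,
# 5.5 and 6.0 are the supported targets.  Keys are (major, minor-field) as
# they appear in the registry string: "5.00" -> (5, 0), "5.50" -> (5, 50).
DISCONTINUED = {(5, 0)}
SUPPORTED = {(5, 50), (6, 0)}


def parse_ie_version(version: str) -> Tuple[int, int, int]:
    """Parse 'Version' values such as '5.00.2920.0000' or '6.0.2600.0000'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised IE version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    build = int(m.group(3)) if m.group(3) else 0
    return major, minor, build


def installed_fixes(minor_version: str) -> set:
    """'MinorVersion' is assumed to look like ';SP2;Q313675;' - split it into tokens."""
    return {tok.strip().upper() for tok in minor_version.split(";") if tok.strip()}


def assess_ie(version: str, minor_version: str = "",
              required_fixes: Iterable[str] = ()) -> dict:
    """Return the family, the fixes still missing, and a one-word verdict."""
    major, minor, build = parse_ie_version(version)
    family = (major, minor)
    fixes = installed_fixes(minor_version)
    missing = sorted(f.upper() for f in required_fixes if f.upper() not in fixes)
    if family in DISCONTINUED:
        verdict = "UPGRADE"          # 5.0 / 5.01: install IE5.5 or 6.0 first
    elif family in SUPPORTED:
        verdict = "OK" if not missing else "PATCH"
    else:
        verdict = "UNKNOWN"          # e.g. IE 4.x or a future release
    return {"family": f"{major}.{minor:02d}", "build": build,
            "missing": missing, "verdict": verdict}


# Constructed sample inventory: (hostname, Version, MinorVersion).
SAMPLE_HOSTS = [
    ("dc1",  "5.00.2920.0000", ""),           # Win2K as installed (IE 5.0)
    ("web1", "5.00.3315.1000", ";SP2;"),      # Win2K SP2 (IE 5.01 SP2), still discontinued
    ("app1", "5.50.4807.2300", ";SP2;"),      # IE5.5 SP2 without the MS01-058 patch
    ("app2", "6.00.2600.0000", ";Q313675;"),  # IE6 with the cumulative patch applied
]


def audit(hosts=SAMPLE_HOSTS, required_fixes=("Q313675",)) -> dict:
    """Verdict per host; Q313675 is assumed to be the MS01-058 fix."""
    return {name: assess_ie(ver, mv, required_fixes)["verdict"]
            for name, ver, mv in hosts}


def read_local_ie() -> Tuple[str, str]:
    """On a Windows host, read the two registry values this check consumes.
    Imported lazily so the module also loads where winreg does not exist."""
    import winreg
    key = r"SOFTWARE\Microsoft\Internet Explorer"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        version, _ = winreg.QueryValueEx(k, "Version")
        try:
            minor, _ = winreg.QueryValueEx(k, "MinorVersion")
        except FileNotFoundError:
            minor = ""
    return version, minor


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:6} {verdict}")
```

On a real estate you would replace SAMPLE_HOSTS with the output of read_local_ie() collected from each machine (or a remote registry read), and extend required_fixes as further IE cumulative patches ship; a server reporting UPGRADE is exactly the case the post worries about, because nothing in SP2 moves it off the discontinued branch.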
